The performance chart quoted above is a bit obsolete now; 8-10 character long .onions are easy enough to find.

There was a discussion back in the day, when shallot first surfaced, about whether custom names for hidden services are bad or not.

Problem number one: generated keys have a much larger public exponent than the standard keys produced by Tor, which puts a somewhat higher load on the Tor relays.

Answer: it was concluded that the difference is negligible compared to the other encryption tasks the relays perform constantly. In eschalot, the largest public exponent is limited to 4294967295 (4 bytes).

Problem number two: Tor developers can decide to filter and block all the custom names.

Answer: yes, they can, but they have not yet and there is really no reason for them to do so. They can just as easily change the standard for the random names too and cause chaos and mass exodus on the network.

Problem number three: generated names are easily spoofed, since the visitor clicking on a link somewhere out there can be tricked by the seemingly right .onion prefix without checking the whole thing. To demonstrate, which one is the real SilkRoad?

Answer: neither, I generated all of them to demonstrate the problem. If you recognized that those were all fakes, you probably spend more time on the SilkRoad than I care to know about :).

To be fair, completely random addresses are even worse - if somebody edits one of the onion link wikis and replaces one random address with another, the casual visitor using that wiki would not know the difference.

Solution: it's essentially up to the person to pay attention to which site he is really visiting, but the site owner can create a human readable address that is easier to remember, even if it's completely random gibberish, as long as it's long and easy to memorize and identify. Some examples:

I did not spend the time to intentionally generate good names, just picked some from the list I had left after testing eschalot. With a (very) large wordlist, unique looking names are easy to generate, but it will take time to go through the results and manually locate the ones that are decent.
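The prefix-spoofing problem described in this answer can be checked mechanically on the visitor's side. The following is an added example, not code from the answer or from eschalot: it compares a link against a pinned full address and flags addresses that only share a leading prefix. The pinned list, the sample addresses and the 6-character threshold are constructed assumptions.

```python
import re

# Constructed sample data: these addresses are made up for illustration.
PINNED = {"examplesite": "examplesitea2b3c.onion"}

# 16 base32 characters (a-z, 2-7) followed by .onion, the address form discussed here.
ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def common_prefix_len(a, b):
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def classify(host, pinned=PINNED, min_prefix=6):
    """Classify a hostname found on an untrusted page.

    Returns (verdict, pinned_name):
      match     - identical to a pinned address over its full length
      lookalike - shares at least min_prefix leading characters with a
                  pinned address but differs later (the spoofing case)
      unknown   - well-formed, but unrelated to anything pinned
      invalid   - not a well-formed 16-character .onion hostname
    min_prefix is an assumed threshold, not a value from the page.
    """
    host = host.strip().lower()
    if not ONION_RE.match(host):
        return ("invalid", None)
    best_name, best_len = None, 0
    for name, good in pinned.items():
        if host == good:
            return ("match", name)
        n = common_prefix_len(host, good)
        if n > best_len:
            best_name, best_len = name, n
    if best_len >= min_prefix:
        return ("lookalike", best_name)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ("examplesitea2b3c.onion", "examplesitez7y6x.onion",
              "qwertyuiopasdfgh.onion", "examplesite01234.onion"):
        print(h, classify(h))
```

Only the `match` verdict means the whole address was compared; a `lookalike` result is exactly the case where a recognisable prefix hides a different key.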

You can use brute-force to find a key that partly matches the hash you want. One tool for this is Shallot. The readme of Shallot says this about the security:

It is sometimes claimed that private keys generated by Shallot are less secure than those generated by Tor. This is false. Although Shallot generates a keypair with an unusually large public exponent e, it performs all of the sanity checks specified by PKCS #1 v2.1 (directly in sane_key), and then performs all of the sanity checks that Tor does when it generates an RSA keypair (by calling the OpenSSL function RSA_check_key).

To get an idea of the time involved in generating with Shallot, also from the readme:

Time to Generate a .onion with a Given Number of Initial Characters on a 1.5Ghz Processor:

7 Chars in Base32 = 32^7 bits of entropy, so you'd need to search (on average) 32^6 (About 1 billion). So, take your average time to compute a key for TOR and times it by a billion.
– Tinned_Tuna, Jan 28 '13 at 0:10

These names are generated in almost the same way that novelty tripcodes are generated on image boards like 4chan.
– Tom Marthenal, Jan 31 '13 at 4:23

Adding to Johan Nilsson's answer (as I can't post comments): It seems that even 13-character named .onion URLs have been created; a comment on this Tor blog entry mentions a 13-character onion URL: deeproadworksbwj.onion (don't connect to it, I don't know what it is or if it's good).